Digi
/
meta-digi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

linux: move Trustfence signing into include file to be used by different kernel versions 

Signed-off-by: Mike Engel <Mike.Engel@digi.com>
This commit is contained in:
Mike Engel 2022-02-14 13:11:53 +01:00
parent 56d7133147
commit d78d601841
3 changed files with 57 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
meta-digi-arm/recipes-kernel/linux/linux-dey-src.inc
View File

@ -3,7 +3,6 @@
LICENSE = "GPLv2" LICENSE = "GPLv2"
LOCALVERSION = "-dey" LOCALVERSION = "-dey"
SRCREV = "${AUTOREV}"
# Select internal or Github Linux repo # Select internal or Github Linux repo
DIGI_LOG_REPO = "linux-2.6.git" DIGI_LOG_REPO = "linux-2.6.git"

51
meta-digi-arm/recipes-kernel/linux/linux-dey_5.4.bb
View File

@ -5,66 +5,17 @@ LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "lzop-native bc-native" DEPENDS += "lzop-native bc-native"
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
inherit kernel fsl-kernel-localversion inherit kernel fsl-kernel-localversion
SRCBRANCH = "v5.4.70/master" SRCBRANCH = "v5.4.70/master"
require recipes-kernel/linux/linux-dey-src.inc require recipes-kernel/linux/linux-dey-src.inc
require ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', 'linux-virtualization.inc', '', d)} require ${@bb.utils.contains('DISTRO_FEATURES', 'virtualization', 'linux-virtualization.inc', '', d)}
require recipes-kernel/linux/linux-trustfence.inc
# Use custom provided 'defconfig' if variable KERNEL_DEFCONFIG is cleared # Use custom provided 'defconfig' if variable KERNEL_DEFCONFIG is cleared
SRC_URI += "${@oe.utils.conditional('KERNEL_DEFCONFIG', '', 'file://defconfig', '', d)}" SRC_URI += "${@oe.utils.conditional('KERNEL_DEFCONFIG', '', 'file://defconfig', '', d)}"
do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign', '', d)}"
trustfence_sign() {
# Set environment variables for trustfence configuration
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
# Sign/encrypt the kernel images
for type in ${KERNEL_IMAGETYPES}; do
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
if [ "${type}" = "Image.gz" ]; then
# Sign the uncompressed Image
KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image
fi
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
if [ "${type}" = "Image.gz" ]; then
# Compress the signed Image and restore the original filename
gzip "${TMP_KERNEL_IMAGE_SIGNED}"
mv "${TMP_KERNEL_IMAGE_SIGNED}.gz" "${TMP_KERNEL_IMAGE_SIGNED}"
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
fi
mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
done
# Sign/encrypt the device tree blobs
for DTB in ${KERNEL_DEVICETREE}; do
DTB=`normalize_dtb "${DTB}"`
DTB_EXT=${DTB##*.}
DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
if [ "${DTB_EXT}" = "dtbo" ]; then
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -o "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
else
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
fi
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
done
}
trustfence_sign[dirs] = "${DEPLOYDIR}"
do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH"
FILES_${KERNEL_PACKAGE_NAME}-image += "/boot/config-${KERNEL_VERSION}" FILES_${KERNEL_PACKAGE_NAME}-image += "/boot/config-${KERNEL_VERSION}"
# Don't include kernels in standard images # Don't include kernels in standard images

56
meta-digi-arm/recipes-kernel/linux/linux-trustfence.inc Normal file
View File

@ -0,0 +1,56 @@
# Copyright (C) 2022 Digi International
LICENSE = "GPLv2"
DEPENDS += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence-sign-tools-native', '', d)}"
do_deploy[postfuncs] += "${@oe.utils.conditional('TRUSTFENCE_SIGN', '1', 'trustfence_sign', '', d)}"
trustfence_sign() {
# Set environment variables for trustfence configuration
export CONFIG_SIGN_KEYS_PATH="${TRUSTFENCE_SIGN_KEYS_PATH}"
[ -n "${TRUSTFENCE_KEY_INDEX}" ] && export CONFIG_KEY_INDEX="${TRUSTFENCE_KEY_INDEX}"
[ -n "${TRUSTFENCE_DEK_PATH}" ] && [ "${TRUSTFENCE_DEK_PATH}" != "0" ] && export CONFIG_DEK_PATH="${TRUSTFENCE_DEK_PATH}"
[ -n "${TRUSTFENCE_SIGN_MODE}" ] && export CONFIG_SIGN_MODE="${TRUSTFENCE_SIGN_MODE}"
# Sign/encrypt the kernel images
for type in ${KERNEL_IMAGETYPES}; do
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
if [ "${type}" = "Image.gz" ]; then
# Sign the uncompressed Image
KERNEL_IMAGE=${WORKDIR}/build/arch/arm64/boot/Image
fi
TMP_KERNEL_IMAGE_SIGNED="$(mktemp ${KERNEL_IMAGE}-signed.XXXXXX)"
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -l "${KERNEL_IMAGE}" "${TMP_KERNEL_IMAGE_SIGNED}"
if [ "${type}" = "Image.gz" ]; then
# Compress the signed Image and restore the original filename
gzip "${TMP_KERNEL_IMAGE_SIGNED}"
mv "${TMP_KERNEL_IMAGE_SIGNED}.gz" "${TMP_KERNEL_IMAGE_SIGNED}"
KERNEL_IMAGE="${type}-${KERNEL_IMAGE_NAME}.bin"
fi
mv "${TMP_KERNEL_IMAGE_SIGNED}" "${KERNEL_IMAGE}"
done
# Sign/encrypt the device tree blobs
for DTB in ${KERNEL_DEVICETREE}; do
DTB=`normalize_dtb "${DTB}"`
DTB_EXT=${DTB##*.}
DTB_BASE_NAME=`basename ${DTB} ."${DTB_EXT}"`
DTB_IMAGE="${DTB_BASE_NAME}-${KERNEL_IMAGE_NAME}.${DTB_EXT}"
TMP_DTB_IMAGE_SIGNED="$(mktemp ${DTB_IMAGE}-signed.XXXXXX)"
if [ "${DTB_EXT}" = "dtbo" ]; then
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -o "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
else
trustfence-sign-artifact.sh -p "${DIGI_FAMILY}" -d "${DTB_IMAGE}" "${TMP_DTB_IMAGE_SIGNED}"
fi
mv "${TMP_DTB_IMAGE_SIGNED}" "${DTB_IMAGE}"
done
}
trustfence_sign[dirs] = "${DEPLOYDIR}"
do_deploy[vardeps] += "TRUSTFENCE_SIGN_KEYS_PATH TRUSTFENCE_KEY_INDEX TRUSTFENCE_DEK_PATH"